Even if the infected firmware couldn’t help attackers work their way into the operating system and the apps on the device itself, a hacked Wi-Fi card is a worrying thought.

If a crook had complete control over your wireless hardware, then going online via Wi-Fi would be like connecting via the dodgiest access point you could imagine, at the most dubious coffee shop you could think of, all the time.

Google patched its own Android devices about three weeks ago, which is when BroadPwn was announced; Apple followed suit for iPhone and iOS users with this week’s update to iOS 10.3.3.

Apple laptops with Broadcom wireless chips were also at risk from the BroadPwn attack; Mac users received the same fix in the update to macOS 10.12.6.

The second BWAIN of the past month was Orpheus’ Lyre, which we’ve been calling OL for short (to avoid that pesky apostrophe), whereby a crook inside your network might – admittedly with some difficulty – trick unpatched users into going to the wrong server by exploiting a bug in the network authentication protocol Kerberos.

It doesn’t look as though Apple was able to patch OL in time for the iOS 10.3.3 and macOS 10.12.6 updates, but that’s not surprising given that OL was only made public this week, after Microsoft published its patch for the hole.

The discoverers of OL haven’t explicitly said whether Apple’s operating systems are vulnerable or not, though we suspect they are. Because Apple generally doesn’t comment on security holes and fixes until the patches are published, we can’t yet tell what to expect from Apple’s side.

As usual, of course, Apple’s updates include dozens of patches for bugs that didn’t have impressive names, many of which we consider much more serious than OL.

These critical bugs that were fixed included several kernel vulnerabilities in both macOS and iOS that had opened up remote code execution (RCE) holes.

RCE generally means that an outsider can trick your computer into running malware without waiting for you to initiate a download or to click through to launch a file – so that you don’t see any sort of warning that might let you head off the attack.

Worse still, an RCE at kernel level pretty much means that attackers can take over your whole device, given that the kernel is the heart of the operating system, and is itself responsible for enforcing the security of, and the separation between, different apps.

In other words, as we never tire of saying, “Patch early, patch often.”

If it’s any comfort, we applied the macOS and iOS updates within two minutes of receiving Apple’s official notification emails, with no ill-effects whatsoever.

To check that you’re up to date, or to fire off an update if you aren’t: on an iPhone, go to Settings | General | Software Update; on a Mac, use Apple icon | About This Mac | Software Update....
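If you look after more than one Mac, the manual Software Update check above doesn’t scale well. The script below is an added example (it is not part of the original article and not Sophos or Apple code): it compares a macOS or iOS version string, component by component, against the versions named in this article that carry the BroadPwn fix (macOS 10.12.6 and iOS 10.3.3), and on a Mac it reads the running version with Apple’s `sw_vers` tool and points you at the built-in `softwareupdate` command if you are behind. The version thresholds and the decision to treat anything at or above them as fixed are assumptions taken from the article’s text, not from Apple’s own advisory.

```shell
#!/bin/sh
# Added example, not from the Naked Security article or from Apple.
# Compares dotted version strings numerically so that 10.12.10 > 10.12.6
# (a plain string comparison would get that wrong).

# version_ge A B -> exit status 0 if version A >= version B
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in A) ? A[i] + 0 : 0    # missing components count as 0
            y = (i in B) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0                             # all components equal
    }'
}

# Thresholds assumed from the article: the updates that shipped the BroadPwn fix.
MACOS_FIXED="10.12.6"
IOS_FIXED="10.3.3"

# macos_patched VERSION -> 0 if this macOS version is at or past 10.12.6
macos_patched() {
    version_ge "$1" "$MACOS_FIXED"
}

# ios_patched VERSION -> 0 if this iOS version is at or past 10.3.3
ios_patched() {
    version_ge "$1" "$IOS_FIXED"
}

# On a real Mac, report the running system; on other hosts this block is skipped.
if command -v sw_vers >/dev/null 2>&1; then
    running=$(sw_vers -productVersion)
    if macos_patched "$running"; then
        echo "macOS $running: at or past $MACOS_FIXED, BroadPwn fix present"
    else
        echo "macOS $running: older than $MACOS_FIXED, run 'softwareupdate -l' to see pending updates"
    fi
fi
```

The same `version_ge` helper works for any dotted version you want to gate on; `macos_patched` and `ios_patched` are just the two thresholds from this article wrapped up so the check reads clearly in a fleet-inventory script.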


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.
Follow him on Twitter: @duckblog

3 comments on “Something for the weekend? How about an Apple patch for BroadPwn?”

Doesn’t help those of us still using old Apple hardware that they (Apple) have abandoned and discarded like yesterday’s trash. I guess when you have billions of dollars of cash on hand, you can wave your hand and just cut off those that helped you grow that cash stash and leave them out in the cold.

Computer hardware has fairly limited lifespans. If you buy Apple, that span ends in the bin, it’s part of the deal, along with being stuck in their walled garden along with all your music.

A Windows PC of the same era would be entirely new on the inside as a minimum to avoid the same lack of support issue, however, and any mobile device from iPhone through BlackBerries to the then-top-of-the-line Droid is probably nearly useless by now.

Unrelated: I feel like someone is failing pretty hard by disclosing to one company when it’s something like a Kerberos fail and not sharing that with the others before going public with a flashy name. Thoughts, anyone?

Let’s give them the benefit of the doubt (if you mean that the Orpheus’s Lyre guys are the ones “failing pretty hard”) and assume they clearly and openly informed everyone who owned or looked after a Kerberos implementation.

IIRC the bug was first reported back on 12 April 2017 – at least that’s when the patch was put into the Heimdal source code, which is a matter of public record – and the flashy name only appeared three months later. (For better or worse, 90 days is considered a normal time to leave for patches to come out; Microsoft and others managed to fix it in this timeframe, FWIW.)

The flashy name, the fancy logo, the PR-oriented website, the ukulele-pretending-to-be-a-lyre theme tune they gave to the bug… yes, you can dislike all that stuff and call it cheesy, and you’d be right, but to call it “failing hard” and to say it was “not shared with the others before going public” is IMO unfair.

Apple chooses not to comment at all on security bugs (except in rare cases when community pressure forces the issue) until it has replicated, analysed, understood, patched *and published the patch* for them.

So we don’t know whether Apple has been working on this and simply didn’t make the 90-day deadline; hadn’t noticed it until recently and is frantically trying to fix it as we speak; had a patch nearly ready but not ready enough to have made 10.12.6; or has configured its own build of Heimdal Kerberos so it just happens to be invulnerable.

My own opinion is that Apple should be more proactive in its communication when there are security holes that we know or reasonably suspect apply to iOS or macOS – indeed, we’ve argued this point several times before on Naked Security – but the company has made its choice about keeping schtumm on security and is so far sticking to it.